(4) If the alternatives in paragraphs
(b)(1) through (b)(3) of this section are 
not available, the agency may consider 
placing the administrative law judge in 
a paid non-duty or administrative 
leave status. 

(c) Exceptions from procedures. The 
procedures in paragraphs (a) and (b) of 
this section do not apply: 

(1) In making dismissals or taking 
other actions under 5 CFR part 731; 

(2) In making dismissals or other actions
made by agencies in the interest
of national security under 5 U.S.C. 7532;

(3) To reduction in force actions 
taken by agencies under 5 U.S.C. 3502; 
or 

(4) In any action initiated by the Office
of Special Counsel under 5 U.S.C.
1215.

Subpart C — Information Security 
Responsibilities for Employees 
who Manage or Use Federal 
Information Systems 

Authority: 5 U.S.C. 4118; Pub. L. 107-347, 
116 Stat. 2899. 

Source: 69 FR 32836, June 14, 2004, unless 
otherwise noted. 

§930.301 Information systems security 
awareness training program. 

Each Executive Agency must develop 
a plan for Federal information systems 
security awareness and training and 

(a) Identify employees with significant
information security responsibilities
and provide role-specific training
in accordance with National Institute
of Standards and Technology (NIST)
standards and guidance available on
the NIST Web site,
http://csrc.nist.gov/publications/nistpubs/, as follows:

(1) All users of Federal information
systems must be exposed to security
awareness materials at least annually.
Users of Federal information systems
include employees, contractors, students,
guest researchers, visitors, and
others who may need access to Federal
information systems and applications.

(2) Executives must receive training
in information security basics and policy
level training in security planning
and management.

(3) Program and functional managers
must receive training in information
security basics; management and
implementation level training in security
planning and system/application security
management; and management
and implementation level training in
system/application life cycle management,
risk management, and contingency
planning.

(4) Chief Information Officers (CIOs),
IT security program managers, auditors,
and other security-oriented personnel
(e.g., system and network administrators,
and system/application
security officers) must receive training
in information security basics and
broad training in security planning,
system and application security management,
system/application life cycle
management, risk management, and
contingency planning.

(5) IT function management and operations
personnel must receive training
in information security basics;
management and implementation level
training in security planning and
system/application security management;
and management and implementation
level training in system/application
life cycle management, risk management,
and contingency planning.

(b) Provide the Federal information
systems security awareness material/exposure
outlined in NIST guidance on
IT security awareness and training to
all new employees before allowing
them access to the systems.

(c) Provide information systems security
refresher training for agency
employees as frequently as determined
necessary by the agency, based on the
sensitivity of the information that the
employees use or process.

(d) Provide training whenever there 
is a significant change in the agency 
information system environment or 
procedures or when an employee enters 
a new position that requires additional 
role-specific training. 